Enforcing a health policy in a local area network

ABSTRACT

A method for injecting a security token into an authentication protocol response is disclosed. An authentication protocol response from a node requesting access to a network is intercepted. It is determined if the node complies with a health policy of the network. A security token is inserted into the authentication protocol response based on the compliance of the node.

TECHNICAL FIELD

The present disclosure relates generally to computers and computer-related technology. More specifically, the present disclosure relates to enforcing a health policy in a local area network.

BACKGROUND

Computer and communication technologies continue to advance at a rapid pace. Indeed, computer and communication technologies are involved in many aspects of a person's day. Computers commonly used include everything from hand-held computing devices to large multi-processor computer systems.

Computers are used in almost all aspects of business, industry and academic endeavors. More and more homes are using computers as well. The pervasiveness of computers has been accelerated by the increased use of computer networks, including the Internet. One or more servers may provide data, services and/or may be responsible for managing other computers on a network. The managed computers are often referred to as nodes. A computer network may have hundreds or even thousands of managed nodes.

Most companies have one or more computer networks and also make extensive use of the Internet. The productivity of employees often requires human and computer interaction. Improvements in computers and software have been a force for bringing about great increases in business and industrial productivity.

Maintaining and supporting computer systems is important to anyone who relies on computers. Whether a computer or computing device is in a home or at a business, at least some maintenance and/or support is often needed. For example, sometimes there are problems with computer hardware. This computer hardware is often upgraded and replaced with new components. Computer software is also frequently upgraded or replaced. Furthermore, computer systems may need to be scanned in order to detect and mitigate security threats.

Outside nodes may request access to computer networks. At such time, a determination may be made about the credentials of the outside node to access resources and communicate with network nodes. In addition, a network administrator may consider other factors when granting permission to outside nodes. Therefore, benefits may be realized from systems and methods for enforcing a health policy in a local area network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that illustrates a system for enforcing a health policy in a local area network (LAN);

FIG. 2 is a block diagram of a requesting node;

FIG. 3 is a flow diagram illustrating a method for injecting a security token into an authentication protocol response;

FIG. 4 is a flow diagram illustrating another method for injecting a security token into an authentication protocol response;

FIG. 5 is a block diagram illustrating a proxy server;

FIG. 6 is a flow diagram of a method for forwarding an encapsulation protocol access request;

FIG. 7 is a sequence diagram illustrating one possible configuration of access signaling using an authentication protocol and an encapsulation protocol;

FIG. 8 is a sequence diagram illustrating another possible configuration of access signaling using an authentication protocol and an encapsulation protocol;

FIG. 9 is a sequence diagram illustrating another possible configuration of access signaling using an authentication protocol and an encapsulation protocol;

FIG. 10 is a sequence diagram illustrating another possible configuration of access signaling using an authentication protocol and an encapsulation protocol;

FIG. 11 is a block diagram that illustrates one configuration of a network where a system for controlling processor usage on a computing device may be implemented; and

FIG. 12 illustrates various components of a computing device.

DETAILED DESCRIPTION

A method for injecting a security token into an authentication protocol response is disclosed. An authentication protocol response from a node requesting access to a network is intercepted. It is determined if the node complies with a health policy of the network. A security token is inserted into the authentication protocol response based on the compliance of the node.

In one configuration, the inserting may include unconditionally inserting the security token, where a value within the security token indicates whether the node complies with the health policy. The node may be allowed to unconditionally send the authentication protocol response with the security token to an authenticator.

In another configuration, the inserting may include conditionally inserting the security token only if the node complies with the health policy. The node may be allowed to send the authentication protocol response to an authenticator only if the security token is inserted. The authentication process may be terminated if the node does not comply with the health policy. The authentication protocol response may be an Extensible Authentication Protocol (EAP) response.

A computing device that is configured for injecting a security token into an authentication protocol response is also disclosed. The computing device includes a processor and memory in electronic communication with the processor. Executable instructions are stored in the memory. The instructions are executable to intercept an authentication protocol response from a node requesting access to a network. The instructions are also executable to determine if the node complies with a health policy of the network. The instructions are also executable to insert a security token into the authentication protocol response based on the compliance of the node.

A non-transitory tangible computer-readable medium for injecting a security token into an authentication protocol response is also disclosed. The computer-readable medium includes executable instructions for intercepting an authentication protocol response from a node requesting access to a network. The computer-readable medium also includes executable instructions for determining if the node complies with a health policy of the network. The computer-readable medium also includes executable instructions for inserting a security token into the authentication protocol response based on the compliance of the node.

A method for forwarding an encapsulation protocol access request is also disclosed. An encapsulation protocol access request is received from an authenticator. It is determined whether the access request includes a security token that indicates a requesting node complies with a health policy. The encapsulation protocol access request is forwarded to an authentication server based on the determination.

In one configuration, the encapsulation protocol access request may be forwarded to the authentication server if a security token in the access request indicates that a requesting node complies. Alternatively, an encapsulation protocol access reject message may be generated and sent to the authenticator if a security token is not included in the access request or a security token is included that indicates non-compliance of the requesting node.

Furthermore, an encapsulation protocol access challenge may be received from the authentication server and forwarded to the authenticator. The encapsulation protocol access request may be a Remote Authentication Dial In User Service (RADIUS) Access-Request message.

A computing device that is configured for forwarding an encapsulation protocol access request is also disclosed. The computing device includes a processor and memory in electronic communication with the processor. Executable instructions are stored in the memory. The instructions are executable to receive an encapsulation protocol access request from an authenticator. The instructions are also executable to determine whether the access request includes a security token that indicates a requesting node complies with a health policy. The instructions are also executable to forward the encapsulation protocol access request to an authentication server based on the determination.

A non-transitory tangible computer-readable medium for forwarding an encapsulation protocol access request is also disclosed. The computer-readable medium includes executable instructions for receiving an encapsulation protocol access request from an authenticator. The computer-readable medium also includes executable instructions for determining whether the access request includes a security token that indicates a requesting node complies with a health policy. The computer-readable medium also includes executable instructions for forwarding the encapsulation protocol access request to an authentication server based on the determination.

IEEE 802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that is based on the Extensible Authentication Protocol (EAP) and the Remote Authentication Dial In User Service (RADIUS) protocol. IEEE 802.1x may provide port-based Network Access Control (NAC). IEEE 802.1x may also provide an authentication mechanism to devices wishing to connect to a local area network (LAN). A system using 802.1x may construct a LAN perimeter for trusted access. However, if an unhealthy device authenticates into the LAN, it may be harmful to other devices inside the protected perimeter. Standard 802.1x may not prevent unhealthy devices from authenticating into a network.

The present systems and methods describe a way to extend 802.1x protocols to provide a mechanism that prevents unhealthy devices from accessing an 802.1x-protected LAN. This mechanism may extend EAP to include a security token that identifies whether a device that connects to an 802.1x-enabled switch port is managed by authorized management and whether the managed device complies with a health policy defined by the management. Based on this security token, during the authentication process, an access request from an unmanaged device or an unhealthy supplicant to a protected LAN may be rejected.

This mechanism may be implemented in the NAC solution of LANDesk Management Suite release 8.8, which supports the EAP-MD5 method, and release 9.0, which supports both EAP-MD5 and PEAP.

FIG. 1 is a block diagram that illustrates a system 100 for enforcing a health policy in a local area network (LAN) 104. A requesting node 102 may request access to the LAN 104. Since the LAN 104 may implement 802.1x, the requesting node 102 may be subjected to authentication before it is permitted to access LAN 104 resources. As part of the authentication process, the requesting node 102 may include a supplicant 106. As used herein, the term “supplicant” refers to a module that communicates with one or more modules for the purpose of gaining access to a network, i.e., authentication. In other words, the supplicant 106 may respond to an authenticator 112 to establish its credentials. The requesting node 102 may also include a token injector 108 that injects a security token 110 into an authentication protocol response 122 from the supplicant 106, e.g., an EAP response. In one configuration, the supplicant 106 is a user or client requesting authentication for the access network (e.g., LAN 104) and the token injector 108 may be in the same physical location as the supplicant 106. In this configuration, the token injector 108 may inject the security token 110 into the authentication protocol response 122 before it is sent to the authenticator 112.

The authenticator 112 may receive an extended authentication protocol response 124 from the supplicant 106. The extended authentication protocol response 124 may be an authentication protocol response 122 that includes a security token 110, e.g., an extended EAP response with a security token 110 that indicates the health of the requesting node 102. The term “authenticator” 112 refers to a module (e.g., a switch or access point) that restricts the communication of the supplicant 106 with an authentication server 116, i.e., the authenticator 112 may verify the identity of the supplicant 106 during the authentication process. Once authentication begins, the authenticator 112 may convert messages between the authentication protocol and the encapsulation protocol and forward converted packets between the supplicant 106 and the authentication server 116 via a proxy server 114. The authenticator 112 may communicate with the supplicant 106 through a network 126. The network 126 may be wired or wireless and may use any suitable protocol, e.g., Internet Protocol (IP). The authenticator 112 may receive the extended authentication protocol response 124 and produce an encapsulation protocol response 128. In one configuration, the authenticator 112 may encapsulate a received EAP Response into a Remote Authentication Dial In User Service (RADIUS) Access-Request and send it to a proxy server 114, e.g., a RADIUS proxy server.

The proxy server 114 may be a logic unit between the authenticator 112 and an authentication server 116 (e.g., a RADIUS server) that filters and forwards authentication packets between the authenticator 112 and the authentication server 116 based on the security token 110. Alternatively, the proxy server 118 may reside in the authentication server 116. The proxy server 114 may detect security tokens 110, or the lack thereof, in authentication packets and send the packets to the authentication server 116 based on the contents of the security token 110. In one configuration, the security token 110 may include data that indicates whether the supplicant 106 complies with a health policy of the LAN 104. Alternatively, the fact that a security token 110 is included in the authentication packet may itself indicate compliance with the health policy. The authentication server 116 may be the actual server determining whether to accept the supplicant 106 request for network access. The terms “RADIUS server” and “authentication server” may be used interchangeably herein. After successful authentication, the supplicant 106 may be granted access to other LAN 104 resources, e.g., other managed healthy nodes 120. The managed healthy nodes 120 may be managed by a core server 111, e.g., a LANDesk core server.

This extended 802.1x with health policy enforcement may provide a mechanism that enforces a health policy on a managed device (e.g., the requesting node 102) by utilizing the 802.1x authentication process. The present systems and methods may permit the construction of not only a trusted LAN perimeter, but also ensure a healthy LAN. It may extend 802.1x's capability of trusted access to trusted and healthy access. Another advantage may be that it can make switches and RADIUS servers that are made by different vendors compatible with each other (as long as they support 802.1x protocols). Previously, switches and servers would usually be from the same manufacturer, such as the CISCO NAC and Huawei 802.1x support solutions.

FIG. 2 is a block diagram of a requesting node 202. The requesting node 202 may include a supplicant 206, a token injector 208, and a health module 230. The supplicant 206 may generate an authentication protocol response 222 a, e.g., a standard EAP response. The authentication protocol response 222 a may include a response code 232 a, a response identifier 234 a, a response length 236 a, a response type 238 a, and response type-data 240 a.

In one configuration, the authentication protocol response 222 a may be an EAP response message as defined in the Internet Engineering Task Force Request for Comments: 3748 (RFC3748). The response code 232 a may be an octet with a value that indicates the message is a response, e.g., a value of 2 for an EAP response message. As used herein, the term “octet” refers to a grouping of eight bits. The response identifier 234 a may be an octet with a value to match the authentication protocol response 222 a with a corresponding authentication protocol request, i.e., from an authentication server 116. The response length 236 a may use two octets to indicate the length of the authentication protocol response 222 a. The response type 238 a may use one octet to indicate the type of request or response. The response type-data 240 a may vary with the type of response.

A token injector 208 may intercept the authentication protocol response 222 a, determine the health of the supplicant 206 and inject a security token 210 a based on the health of the supplicant 206 to produce an extended authentication protocol response 224. Before injecting the security token 210 a, the token injector 208 may determine if the device or supplicant 206 complies with a health policy. As used herein, the term “healthy” refers to compliance with a configuration condition, i.e., a device includes a required patch, includes a required application, is sufficiently monitored by a firewall, does not include prohibited applications, etc. Determining the health of a device may include checking a health scan result that was produced by a health scan tool, i.e., a health module 230. Using a previous scan result may introduce a time frame between two scans. In this time frame, a healthy device may possibly turn into an unhealthy device according to the health policy. If real-time health scanning is performed, the supplicant 206 may be put into a quarantine network while the health scanning is performed. Then, if the scan result indicates compliance with the health policy, the supplicant 206 or requesting node 202 may be brought back to the regular healthy network. However, this may introduce a longer delay in device connection.

After determining compliance with a health policy, the token injector 208 may inject a security token 210 a into the authentication protocol response 222 a, e.g., an EAP Response. In one configuration, the token injector 208 may always inject a security token 210 a into the authentication protocol response 222 a to let the authentication process continue (unconditional injection), i.e., the token data 246 a indicates compliance or non-compliance with the health policy. Alternatively, the token injector 208 may only inject a security token 210 a when the supplicant 206 or requesting node 202 is healthy (conditional injection). In such a configuration, the presence of the security token 210 a itself indicates compliance with a health policy. If the supplicant 206 or requesting node 202 is healthy, the token injector 208 may inject the security token 210 a and continue the authentication process. If the supplicant 206 or requesting node 202 is unhealthy, the token injector 208 may interrupt the authentication process and the device may be placed into a quarantine network by an authenticator 112.

The security token 210 a may include a token type 242 a, a token length 244 a and token data 246 a. In one configuration, the security token extends an EAP response message. In this configuration, the token type 242 a may use one octet to indicate how to interpret the data field 246 a. The token length 244 a may use one octet to indicate the length of the security token 210 a. The token data 246 a may be the actual information provided by the security token 210 a.

Therefore, when the security token 210 a is added to the authentication protocol response 222 a, the token injector 208 produces an extended authentication protocol response 224. The extended authentication protocol response 224 may include an authentication protocol response 222 b and a security token 210 b. As before, the authentication protocol response 222 b may include a response code 232 b, a response identifier 234 b, a response length 236 b, a response type 238 b and response type-data 240 b. The security token 210 b may include a token type 242 b, a token length 244 b and token data 246 b. This extended protocol response 224 may be sent to an authenticator 112 by the supplicant 206.

The format of the security token 210 a-b may be defined differently between the token injector 208 and a proxy server 114 as long as it provides enough information for the proxy server 114 to determine the health of the supplicant 206 or requesting node 202. In the LANDesk NAC implementation, for example, the format used is Core Server Name/Identity. The response length 236 b may include the token length 244 b. Therefore, when the token injector 208 injects the security token 210 b into the authentication protocol response 222 a, it may modify the response length 236 b field.

Extended EAP with a security token 110 following the response type-data 240 b may work especially well for some EAP methods such as EAP-MD5, since the data length in its response type-data 240 b field is one octet while the response length 236 b is two octets, leaving enough room for the security token 210 b.
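As an added example (not code from the patent or from LANDesk), the following Python builds an EAP-MD5 Response with the fields described above, appends a security token in the type/length/data layout of FIG. 2, rewrites the two-octet Length field so it covers the token, and parses the result back. It goes slightly beyond the text by implementing both injection modes in one function: unconditional injection (FIG. 3), where the token data carries the verdict, and conditional injection (FIG. 4), where an unhealthy node gets no token and the packet build is stopped. The token type value 0xF0, the one-octet status flag at the start of the token data, the convention that the token's length octet counts the whole token, and the omission of the EAP-MD5 Name field (so the token sits at a fixed offset) are assumptions of this example; the rest of the token data follows the page's Core Server Name/Identity form.

```python
import struct

EAP_CODE_RESPONSE = 2      # RFC 3748 Code value for a Response
EAP_TYPE_MD5 = 4           # RFC 3748 Type value for EAP-MD5-Challenge
TOKEN_TYPE_HEALTH = 0xF0   # hypothetical token type chosen for this example


def build_md5_response(identifier, md5_value):
    """Standard EAP-MD5 Response: Code, Id, Length, Type, Value-Size, Value.

    The optional EAP-MD5 Name field is omitted (example assumption) so that the
    token always starts right after the Value."""
    type_data = bytes([len(md5_value)]) + md5_value
    length = 4 + 1 + len(type_data)  # header (4) + Type (1) + type-data
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, length, EAP_TYPE_MD5) + type_data


def build_token(healthy, core_identity):
    """Security token: type (1 octet), length (1 octet, whole token), data.

    Data = one status octet (1 = compliant, 0 = non-compliant) followed by the
    Core Server Name/Identity string (assumed layout)."""
    data = bytes([1 if healthy else 0]) + core_identity.encode("utf-8")
    if 2 + len(data) > 0xFF:
        raise ValueError("token data too long for a one-octet length field")
    return bytes([TOKEN_TYPE_HEALTH, 2 + len(data)]) + data


def inject_token(eap_response, healthy, core_identity, conditional):
    """Token injector step: returns the extended response, or None.

    Unconditional mode always appends a token whose status octet carries the
    verdict. Conditional mode appends a token only for a healthy node and
    returns None otherwise, which the supplicant treats as 'stop building'."""
    if conditional and not healthy:
        return None
    extended = eap_response + build_token(healthy, core_identity)
    if len(extended) > 0xFFFF:
        raise ValueError("extended response exceeds the two-octet EAP Length")
    # The Length field must now cover the token as well, so rewrite it.
    return extended[:2] + struct.pack("!H", len(extended)) + extended[4:]


def parse_extended_response(packet):
    """Parse an (optionally extended) EAP-MD5 Response back into its fields."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length does not match packet size")
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_MD5:
        raise ValueError("not an EAP-MD5 Response")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    rest = packet[6 + value_size:]
    token = None
    if rest:
        if len(rest) < 3 or rest[0] != TOKEN_TYPE_HEALTH or rest[1] != len(rest):
            raise ValueError("malformed security token")
        token = {"healthy": rest[2] == 1, "identity": rest[3:].decode("utf-8")}
    return {"identifier": identifier, "value": value, "token": token}


if __name__ == "__main__":
    # Constructed sample: identifier 7 and a dummy 16-octet MD5 value.
    response = build_md5_response(7, bytes(range(16)))
    extended = inject_token(response, True, "core.example.invalid/host42", conditional=False)
    print(len(response), len(extended), parse_extended_response(extended))
```

The length check in `parse_extended_response` is what the proxy side relies on: because the injector rewrote the EAP Length, the token is inside the bytes the authenticator copies into the RADIUS EAP-Message attribute, and a receiver that trusts the original Length would silently drop it.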

FIG. 3 is a flow diagram illustrating a method 300 for injecting a security token 210 into an authentication protocol response 222. The method 300 may be performed by a token injector 208. The token injector 208 may intercept 350 an authentication protocol response 222 a from a supplicant 206. The authentication protocol response 222 a may be intended for an authenticator 112 before it is intercepted. The token injector 208 may determine 352 a health condition of the supplicant 206. In other words, the token injector 208 may determine 352 whether the supplicant 206 or requesting node 202 complies with a health policy. This may include using a health module 230 to scan the supplicant 206 or requesting node 202, e.g., using a real-time scan or previous scan results. The token injector 208 may also set 354 a security token 210 to indicate the health condition. The token injector 208 may also insert 356 the security token 210 into the authentication protocol response 222 a, i.e., to form an extended authentication protocol response 224. The method 300 may unconditionally inject a security token 210 into the authentication protocol response 222 a with the token data 246 field indicating compliance or non-compliance with the health policy. The token injector 208 may also return 358 an indication to the supplicant 206 that the security token 210 has been injected.

In one configuration, the token injector 208 may inject the security token 210 during the supplicant 206 response process. The token injector 208 may operate as a function call within the requesting node 202. In other words, the token injector 208 may be called as part of the supplicant's packet build-up. If the token injector 208 returns a value indicating that the security token 210 has been successfully injected, the supplicant's packet build may continue. If the token injector 208 does not return a value indicating that the security token 210 has been successfully injected, the supplicant's packet build may be interrupted. Therefore, while the token injector 208 may not itself send the extended authentication protocol response 224 to the authenticator 112, it may allow or deny the supplicant 206 to do so.

FIG. 4 is a flow diagram illustrating another method 400 for injecting a security token 210 into an authentication protocol response 222. The method 400 may be performed by a token injector 208. The token injector 208 may intercept 460 an authentication protocol response 222 a from a supplicant 206. The authentication protocol response 222 a may be intended for an authenticator 112 before it is intercepted. The token injector 208 may determine 462 if the supplicant 206 is healthy according to a health policy. In other words, the token injector 208 may determine whether the supplicant 206 or requesting node 202 complies with a health policy. This may include using a health module 230 to scan the supplicant 206 or requesting node 202, e.g., using a real-time scan or previous scan results. If the supplicant 206 or requesting node 202 is not healthy, the token injector 208 may terminate 464 the authentication process. If the supplicant 206 or requesting node 202 is healthy, the token injector 208 may insert 466 a security token 210 into the authentication protocol response 222 a and return 468 an indication to the supplicant 206 that the security token has been injected. The supplicant 206 may also send 468 the authentication protocol response to an authenticator 112, i.e., an extended authentication protocol response 224 is sent. Therefore, the token injector 208 may conditionally inject the security token 210 rather than unconditionally inject the security token 210. In the conditional injection method 400, the presence of the security token 210 may indicate the health of the supplicant 206 or requesting node 202. This conditional injection may also make the security token 210 smaller and reduce the workload of a proxy server 114.

FIG. 5 is a block diagram illustrating a proxy server 514. The proxy server 514 may act as a relay between an authenticator 112 and an authentication server 116, e.g., using the RADIUS protocol as defined in RFC2865. The proxy server 514 may be a logic unit that runs on standalone hardware, resides with a RADIUS server 116 in the same hardware, or runs as a server plug-in. The proxy server 514 may examine a security token 510 that was injected into an extended authentication protocol response 524 a (along with the original authentication protocol response 522). The extended authentication protocol response 524 a may be wrapped in an encapsulation protocol access request 528 a, e.g., a RADIUS Request. The proxy server 514 may forward the received encapsulation protocol access request 528 a to an authentication server 116 based on the security token 510.

The proxy server 514 may include an encapsulation protocol module 572 that unwraps the extended authentication protocol response 524 b. In one configuration, an EAP Response may be wrapped in the RADIUS name/value pair attribute of a RADIUS Request, i.e., the EAP Response from a supplicant 106 may be converted into a RADIUS Request by an authenticator 112. After the encapsulation protocol module 572 unwraps the extended authentication protocol response 524 b, a token analyzer 574 may look for a security token 510. In an unconditional injection system, the proxy server 514 may forward the encapsulation protocol access request 528 b to an authentication server if a security token 510 is found and the token does not indicate an unhealthy status, e.g., a RADIUS request may be forwarded to a RADIUS server. In a conditional injection system, the proxy server 514 may forward the encapsulation protocol access request 528 b to an authentication server if a security token 510 is found. If the token analyzer 574 does not find the security token 510 in the extended authentication protocol response 524 b (or the security token 510 indicates an unhealthy status in an unconditional injection system), the encapsulation protocol module 572 may generate an encapsulation protocol access reject message 570 and send it to the authenticator 112 to abort the authentication process. For example, the encapsulation protocol access reject message 570 may be a RADIUS Access-Reject. An authenticator 112 may place the requesting node 102 in the quarantine network upon receiving the encapsulation protocol access reject message 570.

The proxy server 514 may share the same encryption data that is shared between the authenticator 112 and the authentication server 116. To an authenticator 112, the proxy server 514 may appear to be an authentication server 116. To an authentication server 116, the proxy server 514 may appear to be an authenticator 112. The proxy server 514 may communicate with the authenticator 112 using the standard 1812/1645 port. Therefore, if the proxy server 514 is a logic unit that physically resides in the same hardware as the authentication server 116, the authentication server 116 may be configured to use a different port so that the RADIUS server ports at the authenticator 112 do not need to be reconfigured. If the authentication server 116 provides a callback mechanism, the proxy server 514 may be a plug-in to the authentication server 116. For example, the LANDesk NAC solution provides this kind of plug-in along with a proxy server 514 option when Microsoft's Internet Authentication Service (IAS) is used as the authentication server 116 and the user chooses the plug-in instead of the RADIUS Proxy.

FIG. 6 is a flow diagram of a method 600 for forwarding an encapsulation protocol access request 528. The method 600 may be performed by a proxy server 514, e.g., a RADIUS proxy server. The proxy server 514 may receive 676 an encapsulation protocol access request 528 from an authenticator 112, e.g., a RADIUS Access-Request. The proxy server 514 may also determine 678 an extended authentication protocol response 524 that is wrapped in the encapsulation protocol access request 528. In other words, an EAP Response may be wrapped in a RADIUS Access-Request. The proxy server 514 may also determine 680 whether a security token 510 indicates a healthy requesting node. If there is no security token 510 (in a conditional injection system) or the security token 510 indicates an unhealthy requesting node (in an unconditional injection system), the proxy server 514 may generate 684 an encapsulation protocol access reject message 570 and send 686 it to the authenticator 112, e.g., a RADIUS Access-Reject. If, however, a security token 510 indicates a healthy requesting node (by its presence in a conditional injection system or by its data in an unconditional injection system), the proxy server 514 may forward 682 the encapsulation protocol access request 528 to an authentication server 116, e.g., forward a RADIUS Access-Request to its represented RADIUS server.
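As an added example (not the patent's or LANDesk's code) of the proxy-side logic in FIG. 5 and FIG. 6, the Python below parses a RADIUS Access-Request, reassembles the EAP-Message attributes (RADIUS attribute 79, the attribute used for EAP over RADIUS per RFC 3579), looks for the security token the way the token analyzer does, and either forwards the request or answers with an Access-Reject whose Response Authenticator is computed as RFC 2865 specifies from the secret shared with the authenticator. The token layout (type 0xF0, a length octet counting the whole token, a status octet followed by the Core Server Name/Identity string, placed after the EAP-MD5 Value) and the shared secret are constructed assumptions of this example; the Message-Authenticator attribute that RFC 3579 requires alongside EAP-Message is not modelled here.

```python
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1   # RFC 2865 packet codes
RADIUS_ACCESS_REJECT = 3
ATTR_EAP_MESSAGE = 79       # EAP-Message attribute (RFC 2869 / RFC 3579)
TOKEN_TYPE_HEALTH = 0xF0    # hypothetical token type used in this example
SHARED_SECRET = b"constructed-shared-secret"  # constructed; authenticator, proxy and server share it


def radius_attributes(packet):
    """Yield (type, value) pairs from a RADIUS packet, checking every length field."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20  # header (4) + Request Authenticator (16)
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def unwrap_eap(packet):
    """Encapsulation protocol module 572: concatenate all EAP-Message fragments."""
    return b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)


def find_health_token(eap):
    """Token analyzer 574: locate the token after the EAP-MD5 Value (layout assumed)."""
    if len(eap) < 6 or eap[0] != 2 or eap[4] != 4:   # Code 2 = Response, Type 4 = MD5
        return None
    rest = eap[6 + eap[5]:]                           # skip Value-Size and Value
    if len(rest) < 3 or rest[0] != TOKEN_TYPE_HEALTH or rest[1] != len(rest):
        return None
    return {"healthy": rest[2] == 1, "identity": rest[3:].decode("utf-8")}


def decide(access_request, conditional):
    """Return 'forward' or 'reject' (steps 680/682/684 of FIG. 6)."""
    token = find_health_token(unwrap_eap(access_request))
    if token is None:
        return "reject"      # no token: unmanaged node, or unhealthy in conditional mode
    if not conditional and not token["healthy"]:
        return "reject"      # unconditional mode: the token data carries the verdict
    return "forward"         # conditional mode: presence alone means compliant


def access_reject(access_request, secret=SHARED_SECRET):
    """Build an RFC 2865 Access-Reject answering the given request.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier = access_request[1]
    request_auth = access_request[4:20]
    attrs = b""
    header = struct.pack("!BBH", RADIUS_ACCESS_REJECT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def access_request(identifier, eap, request_auth=None):
    """Constructed Access-Request wrapping eap in EAP-Message attributes (253-octet fragments)."""
    request_auth = request_auth or os.urandom(16)
    attrs = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


if __name__ == "__main__":
    # Constructed extended EAP-MD5 Response: header, Value-Size 16, zero Value, healthy token.
    identity = b"core.example.invalid/host42"
    token = bytes([TOKEN_TYPE_HEALTH, 3 + len(identity), 1]) + identity
    eap = bytes([2, 7]) + struct.pack("!H", 22 + len(token)) + bytes([4, 16]) + bytes(16) + token
    req = access_request(9, eap)
    print(decide(req, conditional=False), access_reject(req).hex())
```

Because the proxy answers with a correctly authenticated Access-Reject, the authenticator treats it exactly as a reject from the real RADIUS server and moves the port to the quarantine VLAN; a proxy that lacks the shared secret could not produce a Response Authenticator the authenticator would accept.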

The proxy server 514 may also forward encapsulation protocol accesschallenge messages received from an authentication server 116 to anauthenticator 112. In one configuration, this may include receiving aRADIUS Access-Challenge from a RADIUS server and forwarding it to theauthenticator 112.

FIG. 7 is a sequence diagram 700 illustrating one possible configurationof access signaling using an authentication protocol and anencapsulation protocol. In this configuration, a supplicant 706 and anauthenticator 712 may communicate using EAP (layer 2 protocol in 802.1x)and the authenticator 712 and a RADIUS server 716 may communicate usingRADIUS (layer 3 protocol in 802.1x). When the supplicant 706 wants toconnect to a network, it may use EAP OVER LAN (EAPOL) to send an EAPOLrequest 722 to the authenticator 712, e.g., EAPOL/Start message. Thisstep may not be shown in subsequent sequence diagrams. The authenticator712 may send an EAP Request/Identity message 724 to the supplicant 706.The supplicant 706 may receive the identity via a login prompt or fromcache and send the identity to the authenticator 712 as an EAPResponse/Identity 726 message. The authenticator 712 may convert the EAPResponse/Identity 726 to a RADIUS Access-Request 728 that wraps EAPResponse 726 as a RADIUS name/value pair attribute and sends it to theRADIUS server 716. The RADIUS server 716 may generate a RADIUSAccess-Challenge 730 message with EAP type configured in the RADIUSserver 716 for the selected authentication method as RADIUS name/valuepair attribute, and then send it to the authenticator 712. Theauthenticator 712 may convert the RADIUS Access-Challenge 730 to an EAPRequest 732 and send it to the supplicant 706. The supplicant 706 maysend an EAP Response 734 that includes the credential to theauthenticator 712. The authenticator 712 may convert the EAP Response734 to a RADIUS Access-Request 736, and send it to the RADIUS server716. For some authentication methods, such as Protected EAP (PEAP),multiple Access-Challenges 730 and Access-Requests 728 may be exchangedfor information or key exchange. 
The RADIUS server 716 may verify thecredential in the EAP Response 734 and send a RADIUS Access-Accept orAccess-Reject 738 to the authenticator 712 depending on the result ofthe credential verification. The authenticator 712 may convert theRADIUS Access-Accept/Access-Reject 738 to EAP Success/Failure 740, andthen send it to the supplicant 706 to finish the authentication process.Meanwhile, if the authenticator 712 receives an Access-Accept 738, theport may be opened. However, if the authenticator 712 receives anAccess-Reject 738, the authenticator 712 may switch the port to guestvirtual LAN (guest-VLAN) or default-VLAN.

FIG. 8 is a sequence diagram 800 illustrating another possible configuration of access signaling using an authentication protocol and an encapsulation protocol. In this configuration, a supplicant 806 and an authenticator 812 may communicate using EAP (the layer 2 protocol in 802.1X), and the authenticator 812, a proxy server 814 and a RADIUS server 816 may communicate using RADIUS (the layer 3 protocol in 802.1X). The authenticator 812 may send an EAP Request/Identity 824 message to the supplicant 806 after receiving an EAPOL/Start message. The supplicant 806 may obtain the identity (via a login prompt or from a cache) and may send the identity to the authenticator 812 as an EAP Response/Identity 826 message. The authenticator 812 may convert the EAP Response/Identity 826 to a RADIUS Access-Request 828 a that includes the EAP Response/Identity 826 as a RADIUS name/value pair attribute and send the request to the proxy server 814. The proxy server 814 may forward this RADIUS Access-Request 828 b to the RADIUS server 816. The RADIUS server 816 may generate a RADIUS Access-Challenge 830 a with the EAP type configured in the RADIUS server 816 as the selected authentication method, and then send the RADIUS Access-Challenge 830 a to the proxy server 814. The proxy server 814 may forward the RADIUS Access-Challenge 830 b to the authenticator 812.

The authenticator 812 may convert the RADIUS Access-Challenge 830 b to an EAP Request 832 and send it to the supplicant 806. The supplicant 806 may generate and send an EAP Response 834 that includes authentication credentials. The EAP Response 834 may be intercepted by the token injector 808 while the response is being built. The token injector 808 may check the compliance of the device (e.g., the requesting node) with a health policy. In this sequence diagram 800, the result of the check is that the device is compliant. The token injector 808 may inject a security token into the EAP Response 834, adjust the EAP Length field and allow the authentication process to continue. In other words, the sequence diagram 800 may illustrate a token injector 808 that uses unconditional injection. The supplicant 806 may send the EAP Response with security token 835 a to the authenticator 812. The authenticator 812 may convert the EAP Response 835 b to a RADIUS Access-Request 837 a and send it to the proxy server 814. The proxy server 814 may examine the EAP Response field that is wrapped in the RADIUS Access-Request 837 a for the security token. In this sequence diagram 800, the proxy server 814 finds the security token and forwards the Access-Request 837 b to the RADIUS server 816. The RADIUS server 816 may verify the credential supplied by the supplicant 806 in the EAP Response, generate a RADIUS Access-Accept 838 a if the credential is correct or a RADIUS Access-Reject 838 a if verification fails, and then send it to the proxy server 814. The proxy server 814 may forward the RADIUS Access-Accept/Access-Reject 838 b to the authenticator 812. The authenticator 812 may convert the RADIUS Access-Accept/Access-Reject 838 b to an EAP Success/Failure 840 message and send it to the supplicant 806. Meanwhile, if the authenticator 812 receives a RADIUS Access-Accept 838 b, the port may be opened. However, if the authenticator 812 receives an Access-Reject 838 b, the authenticator 812 may switch the port to a guest-VLAN or default-VLAN.

FIG. 9 is a sequence diagram 900 illustrating another possible configuration of access signaling using an authentication protocol and an encapsulation protocol. As with the sequence diagram 800 illustrated in FIG. 8, a supplicant 906 and an authenticator 912 may communicate using EAP, and the authenticator 912, a proxy server 914 and a RADIUS server 916 may communicate using RADIUS. The first eight illustrated messages in the sequence diagram 900 may correspond to the first eight messages of the previous sequence diagram 800. In other words, the EAP Request/Identity 924, EAP Response/Identity 926, RADIUS Access-Request 928 a-b, RADIUS Access-Challenge 930 a-b, EAP Request 932 and EAP Response 934 in the sequence diagram 900 may correspond with the EAP Request/Identity 824, EAP Response/Identity 826, RADIUS Access-Request 828 a-b, RADIUS Access-Challenge 830 a-b, EAP Request 832 and EAP Response 834 in the previous sequence diagram 800.

However, after the token injector 908 intercepts the EAP Response 934, the sequence diagram 900 illustrates a configuration where the supplicant 906 is not healthy, i.e., it does not comply with a health policy of the LAN. Therefore, when the token injector 908 discovers that the supplicant 906 is unhealthy (and the token injector 908 uses conditional injection), it may terminate 942 the authentication process, which may cause the authenticator 912 to place the supplicant 906 in a quarantine network.

FIG. 10 is a sequence diagram 1000 illustrating another possible configuration of access signaling using an authentication protocol and an encapsulation protocol. In this configuration, however, the supplicant 1006 may be a non-authorized supplicant 1006, i.e., it does not include an authorized management agent. In other words, the non-authorized supplicant 1006 may not have a token injector; therefore, the authentication packet may be dropped by the proxy server 1014 and the authentication process may be interrupted. The first seven illustrated messages in the sequence diagram 1000 may correspond to the first seven messages of the previous sequence diagram 900. In other words, the EAP Request/Identity 1024, EAP Response/Identity 1026, RADIUS Access-Request 1028 a-b, RADIUS Access-Challenge 1030 a-b and EAP Request 1032 in the sequence diagram 1000 may correspond with the EAP Request/Identity 924, EAP Response/Identity 926, RADIUS Access-Request 928 a-b, RADIUS Access-Challenge 930 a-b and EAP Request 932 in the previous sequence diagram 900.

In this configuration, the non-authorized supplicant 1006 may generate and send an EAP Response 1043 to the authenticator 1012, as in a standard 802.1X system. There may not be a token injector interception as before (because the supplicant 1006 is not authorized). The authenticator 1012 may convert the EAP Response 1043 to a RADIUS Access-Request 1044 and send it to the proxy server 1014. In this configuration, the proxy server 1014 may not be able to find the security token in the EAP Response 1043 that is wrapped in the RADIUS Access-Request 1044. Therefore, instead of forwarding the RADIUS Access-Request 1044 to the RADIUS server 1016, the proxy server 1014 may generate a RADIUS Access-Reject 1046 and send it to the authenticator 1012. The authenticator 1012 may convert the RADIUS Access-Reject 1046 to an EAP Failure 1048 and send it to the supplicant 1006. This may cause the authenticator 1012 to place the supplicant 1006 in a quarantine network.
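The signaling of FIGS. 7 to 10, written out as a runnable model so the three outcomes can be compared side by side. This is an added example, not code from the patent. The EAP header layout (Code, Identifier, Length, Type) follows RFC 3748 and the RADIUS header and EAP-Message attribute follow RFC 2865 and RFC 3579; everything else is an assumption chosen for illustration, since the patent specifies none of it: the security token is encoded as a value/length/marker trailer appended to the EAP Type-Data (`TOKEN_MARKER`, `TOKEN_HEALTHY`, `TOKEN_UNHEALTHY`), the credential is compared as raw bytes against a constructed `VALID_CREDENTIAL`, the 16-byte RADIUS Authenticator is zeroed, and the RADIUS server is assumed to ignore the trailing token. The injector recomputes the EAP Length field after injection as described for FIG. 8; the proxy implements the forward (FIG. 8), terminate (FIG. 9) and missing-token reject (FIG. 10) paths, plus the non-compliant-token reject of claim 24.

```python
"""Toy model of the 802.1X access signaling in FIGS. 7 to 10 (added example, not the patent's code).
EAP (RFC 3748) and RADIUS (RFC 2865, RFC 3579) header layouts are real; the token trailer,
the credential check and the zeroed RADIUS Authenticator are simplifications for illustration."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_CREDENTIAL = 4        # Type byte; Type-Data is simplified to the raw credential bytes
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_EAP_MESSAGE = 79          # RADIUS EAP-Message attribute (RFC 3579)

# Assumed security-token encoding (not specified by the patent):
# value || len(value) as one byte || marker byte, appended to the EAP Type-Data.
TOKEN_MARKER = 0xF0
TOKEN_HEALTHY, TOKEN_UNHEALTHY = b"\x01", b"\x00"
VALID_CREDENTIAL = b"correct-credential"   # constructed sample; the RADIUS server accepts only this

def eap_pack(code, ident, body=b""):
    """EAP header: Code(1) Identifier(1) Length(2), followed by Type and Type-Data."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, ident, pkt[4:]

def inject_token(eap_response, healthy, conditional):
    """Token injector (808/908): append the token and recompute EAP Length (FIG. 8).
    Conditional injection terminates the exchange for an unhealthy node (FIG. 9): returns None."""
    if conditional and not healthy:
        return None
    code, ident, body = eap_unpack(eap_response)
    value = TOKEN_HEALTHY if healthy else TOKEN_UNHEALTHY
    return eap_pack(code, ident, body + value + bytes([len(value), TOKEN_MARKER]))

def split_token(type_data):
    """Return (type_data_without_token, token_value); token_value is None when no trailer is present."""
    if len(type_data) >= 3 and type_data[-1] == TOKEN_MARKER:
        n = type_data[-2]
        if len(type_data) >= n + 2:
            return type_data[:-(n + 2)], type_data[-(n + 2):-2]
    return type_data, None

def radius_pack(code, ident, eap_pkt=b""):
    """Authenticator side: 20-byte RADIUS header plus the EAP packet split into EAP-Message
    attributes of at most 253 bytes each. The 16-byte Authenticator is zeroed in this toy."""
    chunks = (eap_pkt[i:i + 253] for i in range(0, len(eap_pkt), 253))
    attrs = b"".join(bytes([ATTR_EAP_MESSAGE, 2 + len(c)]) + c for c in chunks)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def radius_unpack(pkt):
    """Return (code, identifier, reassembled EAP packet) from a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, eap = pkt[20:length], b""
    while attrs:
        attr_type, attr_len = attrs[0], attrs[1]
        if attr_type == ATTR_EAP_MESSAGE:
            eap += attrs[2:attr_len]
        attrs = attrs[attr_len:]
    return code, ident, eap

def radius_server(access_request):
    """RADIUS server (716/816): verify the credential. Assumed to ignore a trailing token."""
    _, ident, eap = radius_unpack(access_request)
    _, _, body = eap_unpack(eap)
    credential, _ = split_token(body[1:])          # body[0] is the EAP Type byte
    return radius_pack(ACCESS_ACCEPT if credential == VALID_CREDENTIAL else ACCESS_REJECT, ident)

def proxy_server(access_request):
    """Proxy (814/914/1014): forward to the RADIUS server only when the wrapped EAP Response
    carries a token marking the node compliant; otherwise generate Access-Reject (claims 22-24)."""
    _, ident, eap = radius_unpack(access_request)
    _, _, body = eap_unpack(eap)
    _, token = split_token(body[1:])
    if token != TOKEN_HEALTHY:                      # absent (FIG. 10) or marks non-compliance
        return radius_pack(ACCESS_REJECT, ident)
    return radius_server(access_request)

def run_exchange(credential, has_agent, healthy=True, conditional=False, ident=7):
    """Messages 834..840: supplicant -> token injector -> authenticator -> proxy -> RADIUS server.
    Returns "port-open", "terminated" (injector aborted, 942) or "rejected" (EAP Failure)."""
    eap_response = eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_CREDENTIAL]) + credential)  # 834
    if has_agent:                                   # the FIG. 10 supplicant has no token injector
        eap_response = inject_token(eap_response, healthy, conditional)                      # 835
        if eap_response is None:
            return "terminated"
    reply = proxy_server(radius_pack(ACCESS_REQUEST, ident, eap_response))                  # 837/838
    code, _, _ = radius_unpack(reply)
    eap_final = eap_pack(EAP_SUCCESS if code == ACCESS_ACCEPT else EAP_FAILURE, ident)      # 840
    return "port-open" if eap_unpack(eap_final)[0] == EAP_SUCCESS else "rejected"

if __name__ == "__main__":
    print("FIG. 8 ", run_exchange(VALID_CREDENTIAL, has_agent=True))
    print("FIG. 9 ", run_exchange(VALID_CREDENTIAL, has_agent=True, healthy=False, conditional=True))
    print("FIG. 10", run_exchange(VALID_CREDENTIAL, has_agent=False))
```

Two points the model makes visible. First, the authenticator only ever sees a RADIUS Access-Accept or Access-Reject, so the proxy's reject for a missing token and the RADIUS server's reject for a bad credential arrive at the authenticator as the same kind of message; the model returns the same outcome for both. Second, because the proxy inspects the EAP Response as carried in the RADIUS EAP-Message attribute, the token must sit where the proxy can parse it; with a tunneled method such as PEAP that means outside the TLS-protected inner exchange, not inside it.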

FIG. 11 is a block diagram that illustrates one configuration of a network where the systems and methods described herein may be implemented. An administrative system 1102 is connected to a router 1180. The router 1180 is connected to switches 1182 a, 1182 b, 1182 c. The switch 1182 a is connected to several nodes 1112 a, 1112 b, 1112 c, etc. via their respective subnets 1184 a, 1184 b, 1184 c. The switch 1182 b is connected to several nodes 1112 d, 1112 e, 1112 f, etc. via their respective subnets 1184 d, 1184 e, 1184 f. The switch 1182 c is connected to several nodes 1112 g, 1112 h, 1112 i, etc. via their respective subnets 1184 g, 1184 h, 1184 i. Although FIG. 11 only shows one router 1180 and a limited number of switches 1182, subnets 1184 and nodes 1112, many and varied numbers of routers 1180, switches 1182, subnets 1184 and nodes 1112 may be included in networks and/or systems where the systems and methods described herein may be implemented.

The administrative system 1102 may include an authentication server 116, a proxy server 114, or both. The authenticator 112 may be implemented in a switch 1182 or a router 1180. The nodes 1112 may be requesting nodes 102 and may include a supplicant 106, a token injector 108, or both.

FIG. 12 illustrates various components that may be utilized in an administrative system 1202 and/or a managed node 1212. The illustrated components may be located within the same physical structure or in separate housings or structures.

The administrative system 1202 and/or a managed node 1212 may implement an authentication server 116, a proxy server 114, an authenticator 112 or a requesting node 102.

The administrative system 1202 and/or managed node 1212 may include a processor 1296 and memory 1286. The memory 1286 may include instructions 1288 a and data 1290 a. The processor 1296 controls the operation of the administrative system 1202 and/or managed node 1212 and may be, for example, a microprocessor, a microcontroller, a digital signal processor (DSP) or other device known in the art. The processor 1296 typically performs logical and arithmetic operations based on program instructions 1288 b and/or data 1290 b loaded from the memory 1286.

The administrative system 1202 and/or managed node 1212 typically may include one or more communication interfaces 1294 for communicating with other electronic devices. The communication interfaces 1294 may be based on wired communication technology, wireless communication technology, or both. Examples of different types of communication interfaces 1294 include a serial port, a parallel port, a Universal Serial Bus (USB), an Ethernet adapter, an IEEE 1394 bus interface, a small computer system interface (SCSI) bus interface, an infrared (IR) communication port, a Bluetooth wireless communication adapter, and so forth.

The administrative system 1202 and/or managed node 1212 typically may include one or more input devices 1298 and one or more output devices 1292. Examples of different kinds of input devices 1298 include a keyboard, mouse, microphone, remote control device, button, joystick, trackball, touchpad, lightpen, etc. Examples of different kinds of output devices 1292 include a speaker, printer, etc. One specific type of output device which may be typically included in a computer system is a display device 1276. Display devices 1276 used with configurations disclosed herein may utilize any suitable image projection technology, such as a cathode ray tube (CRT), liquid crystal display (LCD), light-emitting diode (LED), gas plasma, electroluminescence, or the like. A display controller 1299 may also be provided, for converting data stored in the memory 1286 into text, graphics, and/or moving images (as appropriate) shown on the display device 1276.

Of course, FIG. 12 illustrates only one possible configuration of an administrative system 1202 and/or managed node 1212. Various other architectures and components may be utilized.

In the above description, reference numbers have sometimes been used in connection with various terms. Where a term is used in connection with a reference number, this is meant to refer to a specific element that is shown in one or more of the Figures. Where a term is used without a reference number, this is meant to refer generally to the term without limitation to any particular Figure.

The term “determining” encompasses a wide variety of actions and, therefore, “determining” can include calculating, computing, processing, deriving, investigating, looking up (e.g., looking up in a table, a database or another data structure), ascertaining and the like. Also, “determining” can include receiving (e.g., receiving information), accessing (e.g., accessing data in a memory) and the like. Also, “determining” can include resolving, selecting, choosing, establishing and the like.

The phrase “based on” does not mean “based only on,” unless expressly specified otherwise. In other words, the phrase “based on” describes both “based only on” and “based at least on.”

The term “processor” should be interpreted broadly to encompass a general purpose processor, a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a controller, a microcontroller, a state machine, and so forth. Under some circumstances, a “processor” may refer to an application specific integrated circuit (ASIC), a programmable logic device (PLD), a field programmable gate array (FPGA), etc. The term “processor” may refer to a combination of processing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

The term “memory” should be interpreted broadly to encompass any electronic component capable of storing electronic information. The term memory may refer to various types of processor-readable media such as random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erasable programmable read only memory (EPROM), electrically erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, etc. Memory is said to be in electronic communication with a processor if the processor can read information from and/or write information to the memory. Memory that is integral to a processor is in electronic communication with the processor.

The terms “instructions” and “code” should be interpreted broadly to include any type of computer-readable statement(s). For example, the terms “instructions” and “code” may refer to one or more programs, routines, sub-routines, functions, procedures, etc. “Instructions” and “code” may comprise a single computer-readable statement or many computer-readable statements.

The term “computer-readable medium” refers to any available non-transitory tangible medium that can be accessed by a computer or processor. By way of example, and not limitation, a computer-readable medium may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray® disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers.

Software or instructions may also be transmitted over a transmission medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of transmission medium.

The methods disclosed herein comprise one or more steps or actions for achieving the described method. The method steps and/or actions may be interchanged with one another without departing from the scope of the claims. In other words, unless a specific order of steps or actions is required for proper operation of the method that is being described, the order and/or use of specific steps and/or actions may be modified without departing from the scope of the claims.

It is to be understood that the claims are not limited to the precise configuration and components illustrated above. Various modifications, changes and variations may be made in the arrangement, operation and details of the systems, methods, and apparatus described herein without departing from the scope of the claims.

What is claimed is:
 1. A method for injecting a security token into an authentication protocol response, comprising: configuring at least one processor to perform the functions of: intercepting the authentication protocol response sent from a node requesting access to a network after receiving, at said node, a request/identity message from an authenticator; determining, at the node requesting access to the network, if the node complies with a health policy of the network; inserting a security token by the access requesting node into the authentication protocol response based on the compliance of the node, wherein a value within the security token indicates whether the node complies with the health policy; and forwarding said inserted authentication protocol response to the authenticator that restricts communications between the access requesting node and an authentication server in the network.
 2. The method of claim 1, wherein the inserting comprises unconditionally inserting the security token.
 3. The method of claim 2, further comprising allowing the node to unconditionally send the authentication protocol response with the security token to an authenticator.
 4. The method of claim 1, wherein the inserting comprises conditionally inserting the security token only if the node complies with the health policy.
 5. The method of claim 4, further comprising allowing the node to send the authentication protocol response to an authenticator only if the security token is inserted.
 6. The method of claim 4, further comprising terminating an authentication process if the node does not comply with the health policy.
 7. The method of claim 1, wherein the authentication protocol response is an Extensible Authentication Protocol (EAP) response.
 8. A computing device that is configured for injecting a security token into an authentication protocol response, comprising: a processor; memory in electronic communication with the processor; instructions stored in the memory, the instructions being executable to: intercept the authentication protocol response sent from a node requesting access to a network after receiving, at said node, a request/identity message from an authenticator; determine, at the node requesting access to the network, if the node complies with a health policy of the network; insert a security token by the access requesting node into the authentication protocol response based on the compliance of the node, wherein a value within the security token indicates whether the node complies with the health policy; and forward said inserted authentication protocol response to the authenticator that restricts communications between the access requesting node and an authentication server in the network.
 9. The computing device of claim 8, wherein the instructions executable to insert comprise instructions executable to unconditionally insert the security token.
 10. The computing device of claim 9, further comprising instructions executable to allow the node to unconditionally send the authentication protocol response with the security token to an authenticator.
 11. The computing device of claim 8, wherein the instructions executable to insert comprise instructions executable to conditionally insert the security token only if the node complies with the health policy.
 12. The computing device of claim 11, further comprising instructions executable to allow the node to send the authentication protocol response to an authenticator only if the security token is inserted.
 13. The computing device of claim 11, further comprising instructions executable to terminate an authentication process if the node does not comply with the health policy.
 14. The computing device of claim 8, wherein the authentication protocol response is an Extensible Authentication Protocol (EAP) response.
 15. A non-transitory tangible computer-readable medium for injecting a security token into an authentication protocol response comprising executable instructions for: intercepting the authentication protocol response sent from a node requesting access to a network after receiving, at said node, a request/identity message from an authenticator; determining, at the node requesting access to the network, if the node complies with a health policy of the network; inserting a security token by the access requesting node into the authentication protocol response based on the compliance of the node, wherein a value within the security token indicates whether the node complies with the health policy; and forwarding said inserted authentication protocol response to the authenticator that restricts communications between the access requesting node and an authentication server in the network.
 16. The computer-readable medium of claim 15, wherein the instructions for inserting comprise instructions for unconditionally inserting the security token.
 17. The computer-readable medium of claim 16, further comprising executable instructions for allowing the node to unconditionally send the authentication protocol response with the security token to an authenticator.
 18. The computer-readable medium of claim 15, wherein the instructions for inserting comprise instructions for conditionally inserting the security token only if the node complies with the health policy.
 19. The computer-readable medium of claim 18, further comprising executable instructions for allowing the node to send the authentication protocol response to an authenticator only if the security token is inserted.
 20. The computer-readable medium of claim 18, further comprising executable instructions for terminating an authentication process if the node does not comply with the health policy.
 21. The computer-readable medium of claim 15, wherein the authentication protocol response is an Extensible Authentication Protocol (EAP) response.
 22. A method for forwarding an encapsulation protocol access request, comprising: configuring at least one processor to perform the functions of: receiving at a proxy server the encapsulation protocol access request from an authenticator after the authenticator receives an authentication protocol response from a requesting node; determining whether the access request includes a security token that indicates the requesting node has determined whether the requesting node complies with a health policy; and forwarding the encapsulation protocol access request to an authentication server based on the determination.
 23. The method of claim 22, further comprising: if a security token in the access request indicates that a requesting node complies: forwarding the encapsulation protocol access request to the authentication server.
 24. The method of claim 22, further comprising: if a security token is not included in the access request or a security token is included that indicates non-compliance of the requesting node: generating an encapsulation protocol access reject message; and sending the access reject message to the authenticator.
 25. The method of claim 22, further comprising: receiving an encapsulation protocol access challenge from the authentication server; and forwarding the access challenge to the authenticator.
 26. The method of claim 22, wherein the encapsulation protocol access request is a Remote Authentication Dial In User Service (RADIUS) Access-Request message.
 27. A computing device that is configured for forwarding an encapsulation protocol access request, comprising: a processor; memory in electronic communication with the processor; instructions stored in the memory, the instructions being executable to: receive at a proxy server the encapsulation protocol access request from an authenticator after the authenticator receives an authentication protocol response from a requesting node; determine whether the access request includes a security token that indicates the requesting node has determined whether the requesting node complies with a health policy; and forward the encapsulation protocol access request to an authentication server based on the determination.
 28. The computing device of claim 27, further comprising instructions executable to: if a security token in the access request indicates that a requesting node complies: forward the encapsulation protocol access request to the authentication server.
 29. The computing device of claim 27, further comprising instructions executable to: if a security token is not included in the access request or a security token is included that indicates non-compliance of the requesting node: generate an encapsulation protocol access reject message; and send the access reject message to the authenticator.
 30. The computing device of claim 27, further comprising instructions executable to: receive an encapsulation protocol access challenge from the authentication server; and forward the access challenge to the authenticator.
 31. The computing device of claim 27, wherein the encapsulation protocol access request is a Remote Authentication Dial In User Service (RADIUS) Access-Request message.
 32. A non-transitory tangible computer-readable medium for forwarding an encapsulation protocol access request comprising executable instructions for: receiving at a proxy server the encapsulation protocol access request from an authenticator after the authenticator receives an authentication protocol response from a requesting node; determining whether the access request includes a security token that indicates the requesting node has determined whether the requesting node complies with a health policy; and forwarding the encapsulation protocol access request to an authentication server based on the determination.
 33. The computer-readable medium of claim 32, further comprising executable instructions for: if a security token in the access request indicates that a requesting node complies: forwarding the encapsulation protocol access request to the authentication server.
 34. The computer-readable medium of claim 32, further comprising executable instructions for: if a security token is not included in the access request or a security token is included that indicates non-compliance of the requesting node: generating an encapsulation protocol access reject message; and sending the access reject message to the authenticator.
 35. The computer-readable medium of claim 32, further comprising executable instructions for: receiving an encapsulation protocol access challenge from the authentication server; and forwarding the access challenge to the authenticator.
 36. The computer-readable medium of claim 32, wherein the encapsulation protocol access request is a Remote Authentication Dial In User Service (RADIUS) Access-Request message.